Monday, July 4, 2011

Asterisk DoS Vulnerabilities

One of our latest internal projects involved heavy use of Asterisk PBX, which is the most popular open source VoIP solution nowadays. Positive Research decided to check Asterisk's implementation of the SIP protocol from a security perspective. First things first, we used the PROTOS test suite, which was developed specifically for SIP testing. The test base includes checks for overflows, format strings, UTF processing and more; you can see the whole list at their website (https://www.ee.oulu.fi/research/ouspg/PROTOS_Test-Suite_c07-sip).
This resulted in two denial of service vulnerabilities being found. Both of them were on their way to the vendor when we discovered that, while we were preparing the advisories, they had already been reported by Digium's internal staff. The vulnerabilities affected versions 1.8.x up to 1.8.4.3.
A fixed version, 1.8.4.4, is already available at the Asterisk website. Let's look at the details of both vulnerabilities to better understand the nature of software security flaws.

The first bug triggers when Asterisk receives a SIP request with a malformed Contact header field. RFC 3261, SIP: Session Initiation Protocol, states: "The Contact header field provides a SIP or SIPS URI that can be used...". The SIP URI in the Contact field should be provided in brackets: "Contact: ".
Removing the left bracket of the URI record and sending the request to Asterisk leads to a crash: the PBX fails to parse the contact information correctly from a string without proper brackets. Source code snippets from channels/sip/reqresp_parser.c with the bug details:

The second vulnerability exists in the process of reading a SIP packet from the socket and copying it into internal structures. Pseudo code of the socket read and of filling the request structure:

    received_length = read_socket(&buffer)
    copy(sip_request.data, buffer)
    sip_request.length = received_length

We can see that the data field of the sip_request structure holds the actual bytes sent to the PBX. The copy from buffer into data is done with vsnprintf and is bounded by a constant size, while sip_request.length is taken directly from the number of bytes captured on the wire. Because vsnprintf treats the input as a C string, inserting null-byte terminators into the message makes the amount of data actually copied smaller than the length assigned to the request structure. Later use of sip_request.length by the parser then leads to memory corruption, which results in numerous faults.
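To make the length mismatch concrete, here is an added example in C (not Asterisk's code) that mirrors the flawed pattern beside a checked variant; the structure, function names and the constructed sample packet are all hypothetical.

```c
#include <stdio.h>
#include <string.h>

#define SIP_MAX_PACKET 256

/* Hypothetical stand-in for Asterisk's request structure. */
struct sip_request {
    char data[SIP_MAX_PACKET];
    size_t len;   /* number of bytes the parser will later walk */
};

/* Flawed pattern: a string formatter stops at the first NUL byte,
 * but the recorded length is the raw byte count from the wire. */
static void fill_request_vulnerable(struct sip_request *req,
                                    const char *wire, size_t wire_len) {
    snprintf(req->data, sizeof req->data, "%s", wire);
    req->len = wire_len;
}

/* Checked variant: bound the copy as bytes and reject a packet whose
 * string length disagrees with its wire length (embedded NUL).
 * Returns 0 on success, -1 when the packet is rejected. */
static int fill_request_checked(struct sip_request *req,
                                const char *wire, size_t wire_len) {
    if (wire_len >= sizeof req->data)
        return -1;
    if (strnlen(wire, wire_len) != wire_len)
        return -1;
    memcpy(req->data, wire, wire_len);
    req->data[wire_len] = '\0';
    req->len = wire_len;
    return 0;
}

/* How many bytes past the terminated copy the parser would walk. */
static size_t overread_bytes(const struct sip_request *req) {
    size_t s = strnlen(req->data, sizeof req->data);
    return req->len > s ? req->len - s : 0;
}

/* Constructed sample: a request line followed by four NUL bytes and junk. */
static const char kSample[] =
    "INVITE sip:bob@example.invalid SIP/2.0\r\n\0\0\0\0Via: junk";
#define kSampleLen (sizeof kSample - 1)

int main(void) {
    struct sip_request req;
    fill_request_vulnerable(&req, kSample, kSampleLen);
    printf("vulnerable: len=%zu, overread=%zu\n", req.len, overread_bytes(&req));
    printf("checked: %d\n", fill_request_checked(&req, kSample, kSampleLen));
    return 0;
}
```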